MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b77e1ad08702a9c016799930e4e8002dab1975d330cb09b42bb281eb56a05aa9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b77e1ad08702a9c016799930e4e8002dab1975d330cb09b42bb281eb56a05aa9
SHA3-384 hash: 090717e8ef5c9bc3396157f1d8a073650140e392bca40c6c4b8e1aeb50c48470d0d12935010becb173086c31801708a0
SHA1 hash: 4a85489448511f0db0ff5c4c9fc37489a0ec0a05
MD5 hash: e3a14227e75be40d87b16ed05425b1b7
humanhash: violet-uniform-gee-winner
File name:cRHBa.xlsm
Download: download sample
Signature AgentTesla
Create hunting rule
File size:420'884 bytes
First seen:2020-05-04 22:46:34 UTC
Last seen:2020-05-04 23:56:42 UTC
File type:Excel file xlsm
MIME type:application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep 12288:gX49w8fyunGthwu8kxPthZugvq4jzjSGUuCOc:gX49b7AhFxPthZnvL3t+
Threatray 10'694 similar samples on MalwareBazaar
TLSH 5894233FD298BB9ECAB3EA7D8D448AD7231653DD335078B9686C8888066F12EC071D51
Reporter abuse_ch
Tags:AgentTesla xlsm


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: yamiox.site
Sending IP: 62.173.142.142
From: Sales<suapport@yamiox.site>
Subject: Purchase Order
Attachment: cRHBa.xlsm

AgentTesla payload URL:
https://ihpmed.ae/pp.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Doc.Dropper.Agent-7758918-0
Create hunting rule

Gathering data
Threat name:
Document-Word.Trojan.Rdn
Create hunting rule
Status:
Malicious
First seen:
2020-05-05 04:03:13 UTC
File Type:
Document
Extracted files:
28
AV detection:
14 of 31 (45.16%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w57bvuehaku4aftzteyoj2aafwvrs5otgdfqtnblwka6wvvalkuq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
10511cc75b1cf355168a1ea5618952bce96a0c219c618186b006551ece942923
AgentTesla
165f51e7991c74251f223156e7b02d9048c7679eed85f09d163171376857e18e
AgentTesla
74a6daf75df0451691470f101c01b44a13d5d1677b5e137bd41c2d65f6471a2e
AgentTesla
aad02f97afd49f0c54f1d5b38bf4012640eb5032a44b077376f63b5c15638f1c
AgentTesla
b529726e95332589a36b05c0c005c0ff08ff3a6814b4700f1613cb4b2fb405c0
AgentTesla
b98f6ad80f1ab3459c9e3626b1113eba28dcc4d07f696daee1050a884900fd80
AgentTesla
bcfe28b074cc1d9b0fb7896ee3eb4d28c240bee33cb76578f0f9f1ef90ab92e6
AgentTesla
cc0c4304983149512f7a6932d67fc4bb4441f0a35863c9b15f9afd27fd7a615b
AgentTesla
f8166c3c857a7a3ba99515cf6ae242a78050fba7608e24a88e2559e0063a187a
AgentTesla
f95cc62c0992c9c2941bce9cac522e24e870a98b712a4823e891c665fa5350b1
AgentTesla
+ 10'684 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-75k3lt89lx/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Office loads VBA resources, possible macro or embedded object present
Process spawned unexpected child process
Malware Config
Dropper Extraction:
https://ihpmed.ae/pp.exe
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:win_alina_pos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_gootkit_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Excel file xlsm b77e1ad08702a9c016799930e4e8002dab1975d330cb09b42bb281eb56a05aa9

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments